WannaCry? Take These Three Steps to Protect your Attack Surface

May 17, 2017, Steve Ginty

Today, it’s WannaCry, yesterday it was Struts2, the day before it was Heartbleed, and tomorrow will be a brand new threat to your organization’s attack surface.

While digital threats increase in velocity, volume, and adaptability, two things are certain: organizations need to think about their automating defenses for external threats, and need a complete and continuous inventory of their entire digital footprint from the perspective of the internet, as customers and adversaries see it.

Unfortunately, many security teams have a blind spot comprised of unknown and unmanaged internet-facing assets that often act as inroads for cyber attacks and data breaches from outside the firewall. According to the Ovum “On the Radar” Report, which recognized RiskIQ’s Digital Threat Management Platform, business operations, which are more often positioned outside the sight or management of IT, can prove difficult to control, and put business operations and reputation at risk.

To protect your organization from the next wave of threats, here are three things you need to consider.

Note: Acces the RiskIQ PassiveTotal Public Project for WannaCry here>>

1. Take these two steps immediately

The May 2017 attack leveraged the ETERNALBLUE exploit that was leaked by Shadow Brokers in March of 2017. The specific vulnerability utilized in this attack was found in Microsoft Windows systems, detailed by CVE-2017-0144, and was likely introduced into organizations through a malicious email attachment opened by a user connected to a corporate network. From the point of entry, the malware spread laterally as a worm.

To address the vulnerability, organizations should patch their Windows systems immediately. When the vulnerability was revealed in March, Microsoft issued a security bulletin and patch (MS17-010) to close the vulnerability. However, the patching process in many organizations is delayed or only done on a less-than-immediate basis, leaving a large number of workstations and servers vulnerable to WannaCry. This delayed patch process along with infrequent data backups led to thousands of organizations being affected by WannaCry, which is why active patching, upgrade, and backup cycles are crucial.

Make sure that systems are segregated to minimize any damage from a cyber attack and aren’t exposed to the internet by default (and not at all if they don’t need to be). Also, security teams should only whitelist connections when needed, both externally and on the internal network, and persistently monitor all networks for changes and unusual.

The following are resources we recommend to harden SMB usage in internal networks:

2. Know your Digital Footprint

Before last week’s now infamous attack with WanaCrypt0r ransomware, most organizations were mainly concerned with compliance fines, financial liability, and material loss of customer confidence through theft of data or fraud. Now, organizations need to consider the cost of the access to and resumption of their data and systems as well, which can be held hostage by automated ransomware attacks at internet scale.

Attackers performing reconnaissance will often find unknown, unprotected, and unmonitored assets to use as attack vectors. For a large enterprise, these types of assets are typically easy for even novice hackers and threat groups to find, and because they’re unmonitored, provide an easy way in and out. To defend yourself, you need to know what attackers see when they’re looking at your business from outside the firewall. After all, following an attack or breach, saying “we didn’t know that asset existed,” doesn’t alleviate the damage done.

The “On the Radar” report highlights RiskIQ Digital Footprint, which is a digital footprint discovery, generation, and management solution that is responsible for discovering the external web and digital assets associated with an organization. It provides the mapping, monitoring, and management facilities needed to plot an organization’s Internet attack surface accurately, and therefore, its external risk posture. It uses RiskIQ’s volumes of telemetric Internet data to generate a dynamic and evolving picture of an organization’s threat footprint, assessing at-risk domains, websites, applications, URLs, web page content, autonomous system numbers (ASNs), IP addresses, SSL certificates, and other online associations.

Once you have an accurate and current picture of your digital footprint—including the frameworks and web applications running on your external assets—it is far easier to understand and execute problem-resolution techniques to ensure that your external assets remain secure. This inventory of your assets is also critical for compliance with numerous industry and government regulations.

3. Have the right people and the right tools for the job

It is useful to have security analysts capable of investigating and working within the security community, as most enterprises were working this issue as it happened throughout the weekend. Those people need the right tools. With RiskIQ PassiveTotal(r), analysts can track indicators such as IPs and SSL certificates related to attacks, which in the case of WannaCry, could have pointed to other infected systems.

The Ovum report cited that RiskIQ offers security analysts detailed access to broad, correlated, and derived data presented in a way that enables faster, more revealing, threat investigations, as well as enabling collaboration and proactive monitoring. As a starting point for incident response teams and threat hunters, we have put together a public project that includes IP addresses and certificates associated with this most recent WannaCry attack that you can use in your to find related infrastructure and investigate across your organization: https://www.passivetotal.org/projects/cc66064c-f94d-4b84-6bcc-4ff3cf51afa9

If you don’t have the right people with the right tools, you don’t have a seat at the table, and that means you find out later—and those couple of hours could have put you at greater risk.